
In any case, the new fact sheets provide a useful reminder of the importance of having strong privacy compliance practices in place whenever dealing with health-related information. This is relevant not only to providers of core health services (like doctors, pharmacists, dentists etc) but also to others who may collect health information (like counsellors, gyms, weight loss clinics, child care services and the like). While the fact sheets themselves are not binding, they do give an insight into the OAIC’s expectations and the approach they may take when enforcing privacy laws dealing with health information.

Fact sheet 49: Health information and your privacy

This fact sheet provides an overview of the types of information that may constitute “health information” under the Privacy Act 1988 (Cth) (Privacy Act), which will extend to cover any personal information collected by a health service provider to provide, or in providing, a health service. This is an expansive definition that may capture not only the specifics about your health, but also information that may not strictly have a direct bearing on your health but may be required by the health service provider to deliver their services (such as your name and address), and may include other types of “sensitive information” such as your ethnicity or sexual preferences.

Fact sheet 49 also provides information about:

entities that may be treated as health service providers;

when a health service provider can collect your health information;

what the provider needs to tell you about your privacy;

how the provider can use or disclose your health information; and

what other rights you have - such as your right to complain to the health service provider, and failing that, the OAIC, if you are not satisfied with the way in which the health service provider has handled your health information.

The fact sheet deals only with the Federal Privacy Act, and does not cover state and territory privacy laws that govern state and territory public health agencies which are not subject to the Privacy Act. Generally, the state and territory laws follow similar principles in relation to the management of health information. However, there may be differences in the way that you can request and obtain access to your information from those health services. We discuss this further below.

Fact sheet 50 provides an overview of the way in which individuals can request access to their health information, such as by requesting access to health records in order to view or take copies of them, or to request that their records be transferred to a new provider.

Fact sheet 50 also provides information about:

when providers can refuse to grant access to health information;

when you can ask for your health information to be corrected;

the fact that health service providers can charge fees for access to your information (being the actual cost to the health service provider to provide the information to you); and

your right to complain to the health service provider, and failing that, the OAIC, if you are not satisfied with the health service provider’s response to your access request.

As flagged above, the Federal Privacy Act will not apply to state and territory public health service providers, meaning that the relevant state or territory law will apply to requests for access to health records from those providers. Generally, state and territory laws are broadly consistent with the Privacy Act with respect to the way in which agencies must handle health information. However, there can be substantial differences in the way in which these laws deal with information access requests. For example, the New South Wales regime broadly aligns with the Privacy Act, whereas in Victoria an individual must make a request under freedom of information legislation, and in Queensland a combination of administrative orders and freedom of information legislation governs this area.
